Chapter 29 Safety Considerations in the Ground Environment 

29.1 Introduction 


In the history of humankind, every great space adventure has begun on the ground. While this seems to be 
stating the obvious, mission and spacecraft designers who have overlooked this fact have paid a high price, 
either in loss or damage to the spacecraft pre-launch, or in mission failure or reduction. Spacecraft personnel 
may risk not only their flight hardware, but they may also risk their lives, their co-workers lives and even the 
general public by not heeding safety on the ground. Their eyes may be on the stars but their feet are on the 
ground! 

One additional comment: Although the design requirements are very different for human rated and non- 
human rated flight hardware, while on the ground that flight hardware (and its ground support equipment) 
doesn’t care about what it is flying on. On the ground, additional requirements are often levied to protect the 
work force and general public. 

(Authors’ Note: The source material for this chapter is primarily taken from the Kennedy Space Center 
Handbook (KHB) 1700.7/45 SW Handbook S-100 Space Shuttle Payload Ground Safety Handbook and the 
authors’ personal experiences.) 

29.2 Scope 

The scope of this chapter covers safety considerations while performing flight hardware operations in the 
ground environment both pre-launch and post-flight. While there are no ground safety requirements unique 
to just the return of a spacecraft, personnel must apply the same care and precautions as they do pre-launch. 

This chapter is not intended to cover launch vehicles. While many, if not all of the principles to be discussed 
here may be applicable, launch vehicles by their very nature operate in a consistent environment and in order 
to control costs, depend very much on common configurations and stable processes. On the other hand, 
spacecraft tend to be unique with variation from spacecraft to spacecraft, usually dependent on mission 
specifications. 

The principles covered in this chapter are not intended to be all inclusive but are general in nature. They are 
also to be considered generic; that is, they are not meant to contradict specific requirements at any particular 
ground processing site. All flight hardware designers and operators are required to be cognizant of the 
requirements of the site where they are operating. 

29.3 A Word about Ground Support Equipment (GSE) 

In the broadest definition of GSE, it is that equipment related to the flight hardware that does not fly. 
Throughout the world, there are numerous names associated with GSE - Test Equipment, Factory 
Equipment, etc.; but they all mean the same. 

GSE generally is designed and operated in accordance with the national laws of country that produces it. 
While there is great commonality across the world, GSE will be beyond the scope of this chapter. Personnel 
are urged to open the lines of communications as early as possible with the appropriate authorities in order to 
ascertain the correct requirements for their GSE. 

29.4 A Word about Documentation and Reviews 



While the processing of the flight hardware is the primary focus, safety documentation and reviews are an 
essential part of the safety process. Safety documentation and reviews provide the assurance that safety 
considerations have been identified, incorporated and verified in the hardware and facility design and 
operations. Safety reviews and documentation report the compliance to safety requirements, and 
assessments performed to identify the risk to personnel, resources and/or mission, and the proposed or actual 
steps to mitigate the risk to an acceptable level. 

The reviews and documentation are typically linked to major program milestones and are presented to 
program management, processing and launch complex operators, and sponsoring agencies for approval. 
Complexity of the documentation and required submittal dates and process will vary with the mission. Early 
contact with the approving authorities is recommended to establish an understanding of applicable 
requirements and their expectations. 

29.5 Roles and Responsibilities 

Integration and eventual launch of flight hardware requires the coordination of numerous personnel from a 
variety of organizations working with supporting equipment and ground infrastructure. The efforts of the 
mission team may require work with hazardous materials or in a hazardous environment, either as part of 
their own activities, or in conjunction with integrated activities. 

A hardware provider is responsible for providing safe systems, equipment, facilities and materials and 
conducting operations in a manner that complies with established safety requirements. They are also 
responsible for the preparation, coordination and certification of documentation that provides assurance that 
their employees, other launch site personnel, and the general public are not exposed to unacceptable risk. 

Employers are responsible for the safety of their personnel. Final authority and safety at the launch site rests 
with the range, who ensures that operations at the range are reviewed coordinated and approved to ensure 
range and public safety. 

29.6 Contingency Planning 

Even with the best design, implementation and planning, an unexpected event may occur that will challenge 
the best engineering team. Consideration for contingencies early in the design will aid in expediting a 
solution to ensure safety, and minimize the impact to hardware, schedule or cost. 

Planning for a contingency falls in two major areas. Programmatic plans are developed to respond to non- 
operational events typically beyond a program’s control, such as earthquakes, hurricanes, electrical power 
interruptions, or even labor disputes resulting in lengthy launch delays. Contingency plans are also 
developed for responding to anomalies or emergencies that may occur during ground operations such as 
propellant leaks or spills, or emergency power-up or down of hardware. Hardware designs should support 
the implementation of these plans, providing features such as accessibility to service points such as 
pressurant and propellant service valves, calibration requirements, battery charging, installation and removal 
of protective and contamination covers, and access to safing plugs to render ordnance systems safe. All 
operational plans should include back-out steps to safe hardware if an unintended event occurs during 
processing. In addition, operational capability should be addressed for limited life items, such as battery 
reconditioning or replacement. 

29.7 Failure Tolerance 


Failure tolerance in the flight hardware during ground operations is very much dependent on the failure 
tolerance methods used to protect the hardware on orbit. However the opportunity for human error is much 



greater on the ground, if only from the fact that the flight hardware can be physically accessed. This scenario 
is particularly true during troubleshooting. When planning spacecraft ground processing, designers must 
include in their analyses the interaction between the flight hardware, GSE, ground facilities, and operators. 
During troubleshooting, inhibits and controls often have to be removed to uncover or to test anomalies. If 
the processing team fails to properly plan its troubleshooting steps or monitor the test, catastrophic results 
can occur from the removal of too many controls. A suggested method for tracking inhibits or controls 
would be to place them in a matrix, where they are visible and available to the test planners. This can also 
serve as an aid when seeking approval for the test from local approving authorities. 

29.8 Trainine 

Employers should ensure that their employees receive adequate training for the activities they perform and 
knowledge of the potential exposure to hazards. Certification may be required for certain specialized tasks 
such as crane operations, propellant, and ordnance handlers; government, corporate and local operating 
requirements may vary. 

Personnel shall also be trained for identifying and responding to the hazards they may encounter in the work 
area. This would include precautions in working with hazardous materials that may be present, personnel 
protective equipment required and its use, location of emergency equipment and procedures, reporting of 
emergencies and responding to alarms, and the location and use of emergency equipment and first aid 
techniques. 

Personnel training should include the use of safety processes such as the lock out and tagout of equipment to 
prevent inadvertent energizing. Pathfinder operations conducted to enhance operational familiarization and 
respond to emergencies should be included in operational training requirements. 

29.9 Hazardous Operations 

When operating in the ground environment, the operator must keep in mind the presence of personnel and 
other high value hardware; as well as the facility. Spacecraft operations while on orbit can have devastating 
effects on the ground. For instance, the ignition of an upper stage or thruster may have minimal external 
effect on orbit; but, on the ground the same operation could be deadly. There are situations, were the 
inherent fault tolerance of a system must be compromised, or very nearly so, to achieve the validation of 
system operation prior to launch. There are also hazards associated with normal servicing, such as with 
fluids or gases. Because of these situations, the prudent operator will designate these occasions as hazardous. 

The designation of which operations are hazardous are derived from hazard analyses or the requirements of 
the processing facility/area. In the case of hazard analyses, the designation of an operation as hazardous can 
be a hazard control. Processing facility requirements are often the culmination of years of experience with 
many of the requirements the result of accidents or near misses. 

When conducting operations on the ground, whether hazardous or non-hazardous, the key to success is 
centered on having written step-by-step procedures as well as a structured process for their development. 
Well-written and well-coordinated procedures serve multiple purposes. These include assurance that the test 
team and support organizations are aware of the procedure, hazard controls are documented and in the 
correct location relative to the hazard and providing a written record of the actual test in the event of 
problems later in processing. The importance of written procedures can not be understated. 

When planning ground operations, conducting concurrent hazardous operations is not considered a good 
practice. This usually involves overlapping control areas and can lead to confusion among the test team with 
the possibility of competing priorities. 



A well run ground campaign will recognize the hazardous nature of preparing a spacecraft for launch and 
will have in place the procedural processes to control these hazards in order to protect people, other flight 
hardware and facilities. 

29.10 Tools 


Tools are the most essential and overlooked element, but without the proper tools, operational activities 
could not be performed safely. The tool can be as simple as a screwdriver or complex as computerized test 
equipment, but improperly selected or used on the job, they may lead to a hazardous condition. 

For a hazardous operation, all tools are required to be identified in the hazardous technical operating 
procedure. The safety review of the procedure would include an assessment of the tools to ensure they are 
appropriate for the operation, to ensure that another hazardous situation would not be caused by their use, or 
to ensure that operational support or approval is required as a condition of their use. 

While tools obviously are selected to accomplish a task, other criteria may affect their selection or use. For 
example, working in the vicinity of sensitive instruments may require the use of non-magnetic tools. Tools 
that generate high temperatures may require ‘hot work’ permits, special shields or barriers, removal of 
combustible material, and fire protection equipment. 

Electrical test equipment poses additional hazards in addition to grounding concerns and potential exposure 
to energized electrical circuits. Electrical equipment shall only be used in the environment it is designed for. 
Operating areas where a potential exists for a propellant leak requires the equipment to be explosion proofed, 
hazard-proofed, or purged. 

Pathfinder operations should be planned to demonstrate the adequacy and function of the tools and 
equipment for an operation. In this assessment, special attention should be given to areas including ease of 
use, accessibility, visibility, and personnel protective equipment that may be required for the operation that 
may impact performance. 

Equally important as selecting the appropriate tools is accounting for them. Hand tools should be tethered at 
all time to prevent a tool from being lost, or accidentally dropped and resulting in hardware damage or 
personnel injury. A tool control plan should be instituted to ensure that all tools are identified and accounted 
for. In addition, tools may require segregation to prevent undesired reactions. For example, the same tools 
used on a hydrazine system should not be used on an oxidizer system. 

29.11 Human Factors 


Human factors can affect the interface between personnel and the flight hardware. The spacecraft designer 
must be cognizant of these issues when considering the how the spacecraft will be serviced on the ground. 
The placement about the spacecraft of servicing panels and connections is critical in avoiding errors leading 
to accidents. For instance, the placement of a battery connection that requires the technician to stand with his 
back to the connection point and reach over and behind his head to accomplish the task is fertile ground for 
an accident (and it was). Some accidents such as this can be prevented by design (in this case, scoop proof 
connectors); but not always. 

The prevention of human error is essential. It is important to design hardware with this in mind. Design is 
the preferred solution; but procedural controls can be used if necessary. The labeling of equipment controls 
is critical. When developing procedures for real-time operations or troubleshooting; the interface of 



personnel with the flight hardware shall be considered. This is especially important is the location of the 
work is in an area not previously intended for access. 

Exposure of personnel to hazardous materials shall be avoided where possible through the implementation of 
adequate design features, such as redundant seals. In the event this may not be possible or there is active 
handling of hazardous materials, such as during fueling, personnel shall be provided the appropriate 
protective gear. 

Physical contact with the flight hardware (spacecraft or individual experiment); needs to be accounted for in 
the design. This includes contact with sharp surfaces or protrusions, rotating surfaces and high or low 
temperatures. Adequate shielding, barriers, guards, or procedures for moving or removing the items shall be 
used. Adjustments needed for electrically powered areas are best made with the power off; otherwise, shock 
protection must be provided. 

The interaction of personnel with hardware must be accounted for at all times whether for routine processing 
or troubleshooting. 

29.12 Biological Svstems/Materials 

Biological systems cover the range from plant growth experiments to human medical experiments. Because 
the possibilities of injury or potential harmful effects; hardware containing biological material requires 
special attention. This attention applies to both launch and return. 

Although a biological experiment or sample may have a low toxicity on orbit; this doe not necessary translate 
to the ground environment; especially in the area of sample preparation. A low toxicity material on orbit, 
like vinegar, will be a higher toxicity when in the form of glacial acetic acid on the ground. The protection 
of personnel, both on the ground and in flight, is directly linked to the hazard presented by the material. 

A special biological system that requires advance planning is trash containing biological material. Special 
care must be taken when handling this material. Not only the potential presence of biologically active 
material needs to be considered but also the presence of contaminated physical material such as needles and 
swabs. It is important that all personnel handling such material be made aware of the contents in order to 
avoid inadvertent contamination. 

Whether in the form of a live virus, a human blood sample or trash, it is the responsibility of the 
investigator/operator to assure the compliance with all programmatic and legal requirements. A close 
coordination with the appropriate authorities is required. 

29.13 Electrical 


Electrical ground support equipment and facilities should be designed to industry consensus standards. 
Equipment designs should ensure that a connection can not be inadvertently reversed or mated, personnel are 
provided protection from accidental contact of energized components, and grounding or bonding schemes to 
ensure that equipment is at ground potential at all times. 

Special attention should be placed on battery charging and conditioning operations. Equipment design 
should incorporate protective devices such as fuses, diodes, and voltage and current limiters, and have 
temperature and pressure monitoring ability. Continuous monitoring by personnel should occur during 
charging and conditioning operations. 



Frequently, commercial-off-the shelf electrical equipment is utilized to support ground processing 
operations. This equipment should only be used in accordance with the manufacturer’s intent and in the 
intended environment; any modification or integration with other equipment should be carefully assessed. 

In the event that troubleshooting, maintenance, or repair of electrical equipment is required, the activities 
should be performed in accordance with a documented process, and in accordance with accepted industrial 
practices. Special precautions are mandatory, such as lockout and tagout of devices to prevent the accidental 
application of power to equipment undergoing service. 

29.14 Radiation 

Radiation in the ground environment is classified in two categories- non-ionizing and ionizing. Safety 
controls are requires for radioactive materials (flight and ground calibration emitting sources), radiation 
producing equipment, including x-ray devices and RF emitters, lasers, and optical emitters (high intensity 
light, infrared, etc.). Safety requirements in the ground environment provide specific engineering and 
operational controls for both types. All radiation sources and associated equipment shall be designed to 
ensure that personnel exposures and potential for release are as low as reasonably achievable, but not 
exceeding the applicable regulatory limits. 

Flight radioactive sources should be installed as late in the countdown as practical, and be handled only by 
approved personnel. Radioactive sources not in use should be secured against unauthorized access. Controls 
should be established to permit access only to authorized personnel, and personnel exposure should be 
monitored. 

Major radiological sources such as radioisotope heater units and radioisotope thermoelectric generators pose 
a greater risk and have additional requirements. Dedicated processing facilities may be required, with more 
stringent controls placed on the storage, access, use and operations associated with major sources. Approval 
for flight requires an increased coordination, with the accompanying analyses, safety assessments, and 
coordinated contingency planning. 

In addition to exposure limits, non-ionizing sources and their controls should be assessed to preclude 
inadvertent operation. Integrated hazard assessment should also be performed to ensure that RF transmission 
does not inadvertently affect launch vehicle or spacecraft systems. 

Optical and lasers systems require engineering controls including beam stops, limit stops, interlocks and 
shields. Materials used as targets or subject to exposure should be non-flammable and not emit toxic 
materials. Appropriate personnel protective equipment should be utilized to protect from hazards associated 
with specific wavelengths, temperature extremes, and gases. 

29.15 Pressure Systems 

The design requirements of pressure systems are well defined in other chapters in the book or in other 
locations. Of greater concern is the operation of these systems on the ground. 

An important datum to track is the level that the pressure system has been tested. Each new level of 
pressurization introduces different stresses to the system. As these pressures are increased, remote 
pressurization may be required in order to protect personnel. 

Special care should be taken to ensure that any venting done by a pressure system, whether planned or 
unplanned, is done in such a way as to not create a hazardous condition. Also it is good practice to design 



pressure system connections such that it is physically impossible to mix incompatible fluids such as 
hypergolic fuels and oxidizers. 

The increasing use of composite overwrapped pressure vessels (COPVs) requires special mention. At all 
times COPVs are very sensitive to impact; but even more so in the ground environment because of the ease 
of access. It is important that an impact protection plan be developed and adhered to. Compliance with 
national or local standards is necessary for successful processing. 

While on the ground, all pressure systems require the utmost care and respect to avoid immediate or future 
damages. 

29.16 Ordnance 


Ordnance devices can vary in size from small hand-held safe devices to larger devices that can initiate a 
chain of events causing injury or death. Initiation of ordnance devices will occur whether the ignition input 
is intentional or inadvertent; the low energy inputs provide design advantages but result in potential safety 
hazards. As these devices cannot be functionally operated, statistical reliability, production controls, and 
ground processing controls ensure performance and safety. 

All ordnance shall be stored as determined by its hazard classification and compatibility. Faraday caps shall 
be installed on ordnance until electrical connections are made. Ordnance test equipment shall limit the 
energy input to the device. 

Ordnance devices and systems are required to be designed to preclude inadvertent firing when subjected to 
such environments such as shock, vibration, and static electricity encountered during ground processing. 
Ordnance circuit, hardware design, and accessibility shall permit circuit interrupts as close to the device and 
as possible, and connection as late as possible prior to launch. 

29.17 Mechanical/Electromechanical Devices 


Flight hardware that contains deployment mechanisms must have the necessary controls in place to prevent 
inadvertent activation. These mechanisms include such items a solar arrays or sample gathering devices. 
Even if deployment is non-hazardous, controls are highly recommended to assure mission success. Special 
care must also be taken during troubleshooting or repairs to prevent injury or damage. 

29.18 Propellants 

Propellants utilized in space vehicles vary in composition, form and reactive properties. A single launch 
vehicle and spacecraft may include inert Xenon gas, multiple solid rocket motors composed of homogeneous 
or composite propellants, Aerozine-50, nitrogen tetroxide, RP-1, and liquid oxygen. As each of these 
materials has distinct physical and reactive properties and the potential for a catastrophic hazard, the safety 
considerations during ground processing are extensive and result in closely monitored ground operations. 

Considerations in the storage, transfer, and handling of propellants include material compatibility of system 
components, separation from reactive materials, capability to isolate system leaks, and electrostatic 
properties of materials. Emphasis is also placed on protecting the personnel performing propellant 
operations or subsequent processing activities with the use of protective garments, toxic vapor detection, 
venting and scrubbing of vapors, explosion-proofing of electrical equipment, and emergency planning. 

An excellent source of information for the properties and hazards of propellants is Chemical Propulsion 
Information Agency (CPIA) Publication 394, Hazards of Chemical Rockets and Propellants . 




29.19 Cryogenics 


In general, cryogenic systems must comply with the same requirements as apply to propulsion systems. 
However, due to their unique physical properties, additional requirements are often levied. 

• 

These additional requirements deal with prevention of the inadvertent conversion of liquid to gas and its 
subsequent pressure rise. The use of pressure relief devices or insulation is required in those parts of the 
system where this is a possibility. The liquefaction of air must also be taken into account when designing 
cryogenic systems. Joints in cryogenic systems are recommended to either butt-welded, flanged, bayonet or 
hub type. 

In addition to these requirements, the servicing of flight hardware with cryogenics is subject to the 
requirements of the processing site. 

29.20 Oxygen 

Safe design development and operation of oxygen systems require special knowledge and understanding of 
design practices, materials, the ignition mechanism, manufacturing techniques and operational controls. 

Materials that are highly reactive must be avoided, and those less reactive but still flammable should be 
protected from all ignition sources. Cleanliness of oxygen systems is important; particles could ignite or 
cause ignition when impacting other components of the system and organic compounds such as hydrocarbon 
lubricants can ignite easily. 

Oxygen systems should be analyzed to ensure leak prevention, adequate ventilation, suitable design of 
system components and system cleanliness. Systems should be designed with sufficient redundancy to 
provide adequate fault tolerance to provide for system integrity and personnel safety. 

29.21 Ground Handling 

In general terms, the handling of flight hardware is enveloped by the need to sustain flight dynamics. This is 
a truism as long as the dynamics to be experienced on the ground fit the envelope. 

Two special cases need to be considered during the design phase. The first involves which attach points will 
be used during ground handling and the second is accounting for the potential for tip-over. In the first case, 
if the spacecraft is using its flight attach points for handling, then further analysis is not required. If other 
points will be used, then the designer must ensure the expected loads are allowable for those points. This is 
especially important for those spacecraft being launched on a rocket where the loads are transmitted through 
the base. In the second case, all flight hardware should have a center-of-gravity analysis performed to ensure 
the hardware does not tip, fall, slide or allow for any type of sudden load shift while be handled on the 
ground. This should be of particular interest to those pieces of hardware that are lifted from below the center 
of gravity. 

29.22 Software Safety 

Software safety assessment is required in the ground processing environment to ensure that flight or ground 
software does not contribute or cannot cause a hazardous condition from occurring, or alter sys.tem(s) 
configuration to the point where the potential risk of a hazard increases. 



Embedded systems can exercise or provide real-time control of a system without any direct user interface. 
Commands could inadvertently open valves, power transmitters, start sequence timers, allow power to relays, 
and remove other systems/safety inhibits. The use of mechanical interrupts such as sating plugs, or safe and 
arm devices, provide a positive verifiable inhibit. 

At the highest level, ground safety assessments should ensure that critical commands are identified and 
adequately blocked from execution. Sufficient independence should exist for software inhibits, and be 
supplemented by controls such as watchdog timers and improper sequence detectors. Safety critical software 
should be closely configuration controlled to segregate ground test and flight software. 

29.23 Summary 

As with life, the preparation for a mission in space is often fraught with as much peril as the journey itself. 
The preparation for the launch of a spacecraft is a dynamic event with numerous hurdles to overcome. The 
return of a spacecraft or experiment can also be perilous as the mission team may let its guard down because, 
after all, isn’t the mission over? The mission team that can focus on and clear these hurdles is well on the 
way to a successful mission. 



